Week 9: Web Security and JavaScript Building Secure Servers

1
Week 9 Web Security and JavaScriptBuilding
Secure Servers

• The primary means of avoiding intrusion is to
  keep up to date with security patches for your OS
  
• Secondly, your server should only activate the
  minimum IP ports to fulfill its function. All
  others should be disabled
• Check the system regularly for unusual files or
  system activity, some tools can automate this
  (eg. tripwire)
• Put valuable data on another system, connected
  with a secure link and protected by a firewall
• Encrypt valuable data and encrypt traffic over
  the network to avoid network sniffers

2
Firewalls

• A firewall is a means of restricting the traffic
  between the internet and a local area network
• The firewall server is connected directly to the
  internet and routes packets from the internet to
  local machines on a separate network
• The firewall doesn't allow direct access to any
  local machine and can block or filter traffic on
  most IP ports

3
Encryption

• Encryption is a means of hiding the message being
  transmitted or stored
• Key based encryption uses a key of a given size
  (number of bits) to encrypt the message. More
  bits means more possible keys and therefore more
  security There are 3.4 x 1038 128 bit keys
• Symmetric or secret key encryption uses the same
  key to encrypt and decrypt a message
• But how do we exchange the key securely?
• Asymmetric or public key encryption uses
  different keys to encrypt and decrypt. The public
  key can be published for use by anyone to send me
  a secret message

4
Using Public Key Cryptography

• In public key cryptography, each key is used to
  perform a one-way transformation on the message
  which only the other key can reverse
• To exchange a secret message encrypt with
  receiver's public key, decrypt with private key
• To verify senders identity encrypt with senders
  private key, if public key decrypts then it's
  authentic
• To digitally sign a message generate a string
  from the message (use a hashing function) and
  encrypt this string with your private key
• To verify the signature we decode the string and
  verify that it matches the string produced by
  hashing the message
• Verifies the sender and the message

5
SSL Secure Socket Layer

• To avoid sending sensitive data in clear text
  over the internet, the SSL standard defines a way
  of establishing an encrypted IP connection
• Designed by Netscape Communications Corporation
• URLs that begin with https indicate an SSL
  connection
• SSL is based in public key encryption
• SSL can be used to forward traffic on any
  internet port, it can secure telnet, pop, ftp or
  www traffic
• SSL is an open standard, implemented in web
  browsers and for various operating system
  services

6
Who Needs Secure Services

• Any e-commerce site where sensitive information
  is being transferred credit card numbers, names,
  addresses, etc
• Service providers such as Hotmail which store
  personal data for users
• Repositories of commercial or restricted
  materials
• Requirements range from verifying the identity of
  users to protecting server side storage and
  encrypting messages between client and server

7
Verifying Identity

• We've seen how to use CGI scripts to check a
  user's password against a stored database
• While this is adequate for low level security it
  is prone to abuse
• One solution is to use SSL to transmit the CGI
  request the https protocol. This is implemented
  by the major browsers and connects to the server
  using SSL
• To be more sure of your client's identity you can
  issue them with a digital certificate based on
  public key cryptography. This can be sent instead
  of a cookie by supporting browsers

8
Secure Data Transmission

• Transmission of sensitive data must use some kind
  of encryption SSL via https
• n.php" method"post"
• 
  Login Name
  e" VALUE""
• Password
• The client might also want some way of verifying
  your identity you could send your digital
  certificate to them

9
Digital Certificates

• If you want to convince your clients that you are
  who you say you are then you need to give them
  something that only you can have
• A digital certificate is just such a thing. This
  contains
• Your name and contact details
• Your public key
• Details of a certifying authority
• This information is then digitally signed with
  the public key of the certifying authority
• The user can check the validity of the message
  and then use your public key to communicate with
  you
• This implies that the certifying authority can be
  trusted!

10
Example

• Certificate
• Data
• Version 0 (0x0)
• Serial Number 0 (0x0)
• Signature Algorithm md5withRSAEncryption
• Issuer CZA, SPWestern Cape, LCape Town,
  OThawte Consulting cc, OUCertification
  Services, CNwww.thawte.com, Emailwebmaster_at_thawt
  e.com
• Validity Not Before Nov 14 171525 1996 GMT Not
  After Dec 14 171525 1996 GMT
• Subject CZA, SPWestern Cape, LCape Town,
  OThawte Consulting cc, OUCertification
  Services, CNwww.thawte.com, Emailwebmaster_at_thawt
  e.com
• Subject Public Key Info
• Public Key Algorithm rsa Encryption
• Modulus 009a9225eda4776923d453052b1f
  3a 5532bb26de0a48d8fcc8c0c877f65d
  61fd1b33234ff4a82d9644c95fc26e
  456a9a21a328d327a67219451e9c80
  a594ac8a67
• Exponent 65537 (0x10001)
• Signature Algorithm md5withRSAEncryption
  7c8e7b58b90e284c90ab2083619eab782b
  a4 5439807bb9d949b3b22afe8a52f4c2
  890e5c 7b92f8cb773f56229d968bb905c
  41801bc40 eebc0efefcf89b9d70e3

11
Security and Client Side Programming

• Security is a major issue when you allow unknown
  and untrusted agents to run programs on your
  computer.
• There are two general approaches to dealing with
  this issue
• Restrict the things that the client side programs
  are allowed to do.
• Implement some kind of validation and
  verification of the source of programs.

12
Security and Client Side Programming

• JavaScript takes the first approach, you can't,
  for example, read and write local files from
  JavaScript.
• Other client side languages provide a restricted
  subset of the full language to untrusted
  programs. Eg. Java and Safe Tcl.
• ActiveX takes the second approach. An ActiveX
  program can do anything but is signed and
  encrypted to help ensure that it comes from
  someone you trust.
• Note that writing to local disk isn't the only
  security risk. Others include capturing and
  sending data to remote sites and denial of
  service.
• refer to ActiveX security vs. Java security
• http//www.cs.princeton.edu/sip/java-vs-activex.ht
  ml

13
Using JavaScript

• JavaScript is another scripting language not
  unlike Perl, Tcl and Python.
• Has the usual control structures etc.
• JavaScript variables can hold
• Numbers integer and floating point
• Booleans true, false
• Strings "Hello World!"
• Objects myObj new Object()
• Null empty, no value
• Undefined value is not defined
• The usual range of comparison and arithmetic
  operators.
• String concatenation with "Age" "20" gives
  "Age 20"
• C style conditional operators

14
Example

• // Script by http//www.mimanet.com/scripts/
• theDate new Date()
• var months new Array('January','February',
  'March','April','May','June','July','August',
  'September','October','November','December')
• var day theDate.getDate()
• var textdate 0
• if (theDate.getYear()
• textdate monthstheDate.getMonth() ' ' day
  ', ' (theDate.getYear() textdate)
• document.write(textdate)

15
Using JavaScript

• JavaScript code is embedded in web page headers
  within tags.
• Either embed the script directly (note the use of
  HTML and Javascript comments)
• ... language"Javascript"
• Or refer to an external script file

16
Javascript Event Handlers

• Initial Javascript gets called when page is read
  into browser.
• Can add calls to Javascript for certain events
  associated with page elements
• "javascript code"

17
JavaScript and the Browser

• The most important data structure available to
  your JavaScript program is the browser and it's
  model of the current HTML page.
• These are represented in JavaScript as objects
  and you can query them and in many cases modify
  them in your scripts.
• The HTML page is modelled via the Document Object
  Model. In the newer browsers (IE 5, NS 6) this is
  very similar to the XML DOM.
• Scripts also have access to CSS properties of the
  document elements.

18
Document Object Model
19
Document Object Model

• // get the first table in the document table
  document.getElementsByTagName("table").item(0)
• // get the first td in the second tr row
  table.getElementsByTagName("tr").item(2) cell
  row.getElementsByTagName("td").item(0)
• // get the contents of the cell txt
  cell.childNodes.item(0).nodeValue
• document.write(txt)

20
Some Javascript Idioms

• Javascript gets used for many tasks within web
  pages, look at some of the common examples
• Mouseover Actions
• Form validation
• Popup windows
• Ajax

21
Imager Rollovers and Pop Up windows

• onMouseOver"document.picture.srcpic2.jpg'"
  onMouseOut"document.picture.srcpic1.jpg'"/
• function mypopup()
  win window.open("", "mywindow",
  "height100,width100") win.location
  "http//www.eelab.usyd.edu.au/" ...
  Click Here!!!

22
Form Validation

• While we can validate form data on the server,
  the user would get a quicker response if we did
  some work on the client side.
• Simple checks like incomplete submission and even
  email validation can be carried out in
  Javascript.
• Javascript can also access and create cookies

23
Ajax

• Asynchronous Javascript and XML
• The browser requests data from the server in the
  background
• The data is used to modify the content of the
  current page
• Faster response times since whole pages don't
  need to reload
• Basic requirement is XMLHttpRequest
  http//en.wikipedia.org/wiki/XMLHttpRequest
• Eg Google Suggest

24
XMLHttpRequest (XHR)

• XMLHttpRequest (XHR) is an API that can be used
  by JavaScript and other web browser scripting
  languages to transfer XML and other text data
  between a web server and a browser. Though it can
  do synchronous fetches, it is almost always
  asynchronous, due to the greater UI
  responsiveness.
• The data returned from XMLHttpRequest calls will
  often be provided by back-end databases. Besides
  XML, XMLHttpRequest can be used to fetch data in
  other formats such as HTML, JSON or plain text.
• XMLHttpRequest is an important part of the Ajax
  web development technique, and it is used by many
  websites to implement responsive and dynamic web
  applications. Examples of web applications that
  make use of XMLHttpRequest include Google Maps,
  Windows Live's Virtual Earth, the MapQuest
  dynamic map interface, Facebook, and many others.